> This baseline 12-character minimum means folks won’t be tempted to reuse their insecure (but technically complex!) 8-character password mullets from other sites.
Instead they'll re-use their insecure (but technically complex!) 12-character passwords from other sites. So much better. /s
Face it: passwords suck. They're far too easy to misuse (re-using compromised[1] passwords from other services) and far too difficult to use correctly (long, random, unique passwords for every service). At this point I'm inclined to support just about any alternative that isn't even more horribly flawed.
Ideally yeah, an open source solution would be preferred. WebAuthn nearly has this solved for the web; we just need a cross-platform authenticator for it. For local device logins (such as to Windows PCs) neither WebAuthn nor password managers work particularly well, so I'm glad Microsoft is exploring alternatives there.
> long, random, unique passwords for every service
Using a password manager is not that difficult. Then you really have to worry about one password, the one to unlock the password manager, and don't even have to think about the others. There are plenty of open source password managers to choose from.
Well, the master password... and all the passwords you can't store in the pass manager. Like the Windows log-in password, the Bitlocker password, your cell phone PIN, (your bank card PIN)...
Password managers help mitigate the second problem (passwords being hard to use correctly) but do absolutely nothing for the first one (passwords being easy for users to shoot themselves in the foot with by using them incorrectly). Even the most user-friendly, well-designed password manager is still less convenient than just re-using the same password everywhere.
[1]: https://haveibeenpwned.com/Passwords
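The thread's point that a 12-character minimum does nothing against a reused, already-breached 12-character password can be turned into a registration-time check. The example below is added here and is not code from any poster or from Have I Been Pwned; it implements the k-anonymity lookup that the linked Pwned Passwords service uses (SHA-1 the password, send only the first five hex characters, match the remaining 35 locally against the returned suffix list). The breach corpus, the counts, and the `fake_fetch_range` function are constructed stand-ins so it runs offline; in production that function would perform an HTTPS GET against the real range endpoint instead.

```python
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that leaves the client and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed breach corpus with invented counts. Only the server side ever
# sees plaintext here; the client code below works purely on hash fragments.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 12345,
    "password1234": 678,   # 12 characters, yet reused and breached
    "Summer2019!!": 42,    # also passes a naive length+complexity policy
}


def _build_range_table(corpus: dict[str, int]) -> dict[str, list[str]]:
    """Group corpus entries by hash prefix, in the 'SUFFIX:COUNT' line format
    the real range API returns."""
    table: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return table


RANGE_TABLE = _build_range_table(CONSTRUCTED_BREACH_CORPUS)


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns CRLF-separated 'SUFFIX:COUNT' lines for every known hash that
    shares the prefix (empty string when none do)."""
    return "\r\n".join(RANGE_TABLE.get(prefix.upper(), []))


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Number of times the password appears in breach data, or 0.
    Only the 5-char prefix is sent; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch_range=fake_fetch_range,
                      min_length: int = 12) -> list[str]:
    """Return the list of reasons a password should be rejected (empty when
    it passes). Length and breach checks are independent: a long password
    can still be a known-breached one."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    n = breach_count(password, fetch_range)
    if n:
        reasons.append(f"appears {n} times in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "password1234", "zq8!Lm#2vR9@pT"):
        verdict = evaluate_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The server-side table is keyed by a 20-bit prefix, so every lookup returns a bucket of unrelated suffixes and the service learns nothing that identifies the password; a real client should also treat a network failure as "unknown" rather than "clean" and decide separately whether to fail open or closed.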